home *** CD-ROM | disk | FTP | other *** search
/ Hacker Toolbox (Professional Edition)
/ Hacker Toolbox Professional Edition (TradeTouch) (2003).iso / snoop / idscenter11rc3.zip
download all originals (max 1 GB)
File Comment
==============================================
IDScenter 1.1 Release candidate 3
(14/06/2003)
---
Snort management and configuration frontend
==============================================
Content
---------
1. Description
2. System requirements
3. Installation
4. Versions history
5. Known BUGs
6. Terms of use
7. Reporting problems
1. Description
----------------
Description: IDScenter is a front-end for Snort intrusion detection systems (www.snort.org)
Platform: Windows 2000/XP/NT
Version: 1.1 RC3
Author: U. Kistler (u.kistler@engagesecurity.com)
Features:
* Snort 2.0, 1.9, 1.8 and1.7 support
o easy access to all settings
o Interface listing using WinPCAP
o inline configuration support (options in configuration file instead of command-line parameters, if available)
* Snort service mode support
o IDScenter takes over control of the Snort service
* Snort configuration wizard
o Variables
o Preprocessor plugins
o Output plugins (Syslog output plugin configuration for Snort 2.x and Snort 1.9.x supported!)
o Rulesets
* Online updates of IDS rules: IDScenter integrates a http client and starts an update script on demand
o Full configuration frontend for Andreas ╓stlings Oinkmaster perl script
o custom interval for update checks
* Ruleset editor: supports all Snort 2.0 rule options
o Easily modify your rules
o Sort rules based on source IP, port, etc.
o Import rules from files or websites into existant rulesets
* HTML report from SQL backend
o IDScenter can generate HTML output from your SQL database
o Custom HTML template
o Decoding of TCP Flags and more, Hex/Base 64 payload decoding, mutli-threaded DNS resolving possibility
* Alert notification via e-mail, alarm sound or only visual notification
o Threaded e-mail sending with custom send interval
o SQL queries can be included in an AlertMail message, which are processed on demand (see above)
o Possibilty to send the last # lines of your Snort log
o Notification of attack is also possible with Snort logging to MySQL
o Add attachments (e.x. the current process list generated by another program)
* AutoBlock plugins: write your own plugins (DLL) for your firewall
o ISS NetworkICE BlackICE Defender plugin included (possibility to block IP's, TCP and UDP ports, ICMP packets, set block duration)
o Delphi framework included for fast writing new plugins for other firewalls
o Test configuration feature: fast testing of your IDS configuration (Snort rule syntax checking etc.)
* Monitoring:
o Alert file monitoring (up to 10 files)
o MySQL alert detection: allows centralized monitoring of all Snort sensors
* Log rotation (compressed archiving of log files)
o Backup your logfiles automatically, set log rotation period (day, week, month, interval)
* Global event logging
o Log events such AlertMail sending, Log rotation, Online updates, etc.
* Integrated log viewer
o Log file viewer
o XML log file viewer
o HTML/website viewer (support for ACID, SnortSnarf, HTML ouput generated using IDScenter's report template page etc.)
o CVE search and WHOIS lookups
* Program execution possible if an attack was detected
2. System requirements
------------------------
- Windows NT/2K/XP
- Winpcap 2.3 or higher
3. Installation
-----------------
Start setup.exe
4. Versions history
---------------------
5.6.2003:
- RPC preprocessor options added
- Some very small bug fixs
3.6.2003:
- New registry key: HKEY_LOCAL_MACHINE\Software\Engage
19.5.2003:
- Snort 2.x support finished
- Rule keywords added: distance, within, byte_test, byte_jump
- Snort 2.x Syslog output plugin support added (host=..)
- Output plugin syslog: Support for Snort 1.9 and Snort 2.0 configuration of Syslog plugin
- Cancel button in Output plugin wizard
- CSV output plugin parsing added (not implemented is SNMP plugin option parsing)
15-17.5.2003:
- Snort 2.x support coding
- Snort inline configuration support finished
- HTML report generator from SQL database source
9.4.2003:
- Rule editor: IP packet tags are realigned following RFC
- IDS ruleset text editor: Buttons in toolbar
- Updated zip DLL
- Classification / Reference files (*.config) are listed Rules/Signatures dialogbox
Bug fixes:
- Rule management editor: Importing rules doesn't replace the filename by the temporary file for imports
4.4.2003:
- Classification editor list: Sort by column feature added
3.4.2003:
- Ruleset management:
- Ruleset can be sorted by clicking on a column (signature name, action,protocol,src ip,src port, dst ip, dst port, direction & options)
- Question to save changes
- Oinkmaster wizard modifications
- Quite a lot of redesign
- Bugfix: updating does not work if no rule was selected
23.3.2003:
- Snort online rule updates: Update check using last-modified tag by IDScenter in a specified interval (15 min<)
- Rules are updated using a modified version of Oinkmaster by Andreas ╓stling
- Configuration frontend for Oinkmaster
19.3.2003:
- Multi-threading and optimized DNS lookup implemented (2 ip lookups/thread)
- AlertMail is a thread (application is not blocked during the mail is sent)
18.3.2002:
- DNS lookups can be activated for MySQL alertmail logs
17.3.2003:
- AlertMail: MySQL query support added, Output in HTML (multiple queries possible)
- CVE search links
- Human readable headers (not MySQL database field names)
- WHOIS lookup link (private addresses are excluded)
- Decoding of packet information
- TCP Flags
- Payload decoding (format: "encoded payload ASCII=decoded payload"): Hex to Ascii, Base64 to Ascii
- non-printable caracters are replaced by a red `
- WHOIS server changed: ripe.net
- Adding last # lines is possible when file detection is deactivated (standard log file is read)
11.2.2003:
- Exit procedure is better and prevents a possible access violation problem
10.2.2003:
- IDScenter rule editor: When creating a new rule, the comboboxes were not filled with available variables
7.2.2003:
- AlertMail:
- Removed file existance check for AlertMail attachments when clicking on Apply
6.2.2003:
- Apply: Snort service is set to start automatically when booting the computer (Snort itself does set it to manual start)
5.2.2003:
- updated preprocessor configuration code (Stream4, Stream4_reassemble, Frag2 (fixed detect_state_problem))
- bigger edit box for http_decode port list
2.2.2003:
- New menu design
- Service mode start timeout is 10 seconds (added an internal timer)
1.2.2003:
- Simple import feature to add new rules from a text/file
- Cleaning procedure for BlackICE rules included in BlackICEv1 and BlackICEv2 plugin
- Removes all rules with "IDScenter AutoBlock" description
31.1.2003:
- Plugin system: Memory leak fixed and access violation problems resolved
(caused by Borland Delphi VCL Control.pas and bad compiler options..)
-> modified Plugin SDK!
28.1.2003:
- Portscan2-Ignorehosts support
27.1.2003:
- Splash screen
4.1.2003:
- AlertMail: new SMTP client integrated
- IDScenter interface dialog
- Home_net parameter is a combobox
- Interface list uses WinPCAP API
- AutoBlock:
- new scan engine: extracts IP, TCP/UDP port, ICMP type and code
- An exception in a DLL will propagte to IDScenter if it is not handled,
but will not cause IDScenter to stop
- BlackICE v1 and v2 plugins:
- Filelock that prevents BlacKICE changing the rules while IDScenter is already changing it
- Version 1 provides similar functionality like the previous Network ICE BlackICE Defender plugin
- Version 2 supports blocking of TCP/UDP packets (only blocking port)
and ICMP packet blocking based on type and code
- Log settings
- Dump 802.11 management and control frames (-w) option added
- Rule management: Complete redesign of the interface
- Rule editor:
- Reference Browser (URL are not taken from Snort user manual, but this ones work)
- supports BID, CVE, ArachNIDS, McAfee, Nessus and URLs
(Type for example "Bugtraq,323" in address bar)
- Borland's memory manager was replaced by FastShareMem (Author: Emil M. Santos)
- borlndmm.dll is no longer used
- Small design errors corrected
Bug fixes:
==========
Log settings
- Stream4 parameter corrected (-z)
Rule editor
- flow statement fix, content matcher options for all content matcher
- a few other rule edit/save bugs (nobody seems to have noticed the bug .. but anyway.. ;) )
- Editor frontend bug fixes (Clear button is locked while editing a content tag)
- tab order
26.12.2002:
- AutoBlock: Added IP validation to minimize the risk of parsing errors (Snort alert logging problems)
25.12.2002:
- Preprocessor wizard: http_decode: maximum length removed
- AlertMail: corrected possible problem in handling e-mail alerts (sends in interval of 10 seconds if possible)
- MySQL database testing: Test query field is cleared before the database request
17.12.2002:
- updated setup package
- plugin framework update (index method removed)
- Borlndmm.dll: use of ShareMem lib requires the dll
16.12.2002 IDScenter 1.09 beta 2.3:
- Updated Plugins (memory leak fix)
- Plugin Framework for Delphi:
- Use of ShareMem library
- PChar for base directory parameter
- Handle procedure: setup window not visible in taskbar now
- BlacKICE plugin:
- Exclude list problem fixed
- possible Memory leak fixed
- PChar for base directory parameter
- small fixs
- IDScenter: cleaner handling of alert situation
- updated libmysql.dll to version 3.23.54
- small OLECtrl code fix (should prevent memory leak with TWebBrowser, but..)
November release 2002:
- Snort 1.9 support added
- Snort /SERVICE support
- Rule management and editor: supports *all* Snort 1.9 rule options
- easy editing of rules in IDScenter
- fast activation/deactivation of rulesets or single rules
- Classification file editor
- AutoBlock: Plugin interface, develop your own firewall plugins as DLL
Delphi Framework with example is included
- Test configuration started with -T option to get more configuration information
from Snort itself.
21.9.2002:
- Full support of all Snort 1.9 Win32 preprocessors
- Test configuration: -T used by default (Snort 1.9)
Bug fixs:
- Better parsing of port list
20.9.2002:
BUg fixs:
- Output plugin wizard: log/alert mode
10.9.2002:
Bug fixs:
- Design: Arpspoof-Unicastcheckbox position changed, Stream4 dowriteconf, Pluginsetup button disabled by default
31.8.2002:
- AutoBlock plugin support: Network ICE BlackICE Defender plugin created
- Custom rule order can be specified
Bug fixes:
- Apply button can not be clicked when a list is edited (variable, Output & ruleset wizard)
- small changes in ruleset wizard
28.8.2002:
- Reading of rule completed
Bug Fixs:
- Start/Stop pop-up menu items enabled/disabled correctly when starting IDScenter first time
- Output plugins: XML encoding string was not correctly parsed
- Output plugins: GUI design modified
22.6.2002 IDScenter BETA 2.1:
- Added min_ttl, ttl_limit options for frag2 and stream4 preprocessors
Bug fixs:
- Output plugins panel: add/delete button problems
- Preprocessors panel: small changes
20.6.2002 IDScenter BETA 2:
- Snort configuration wizard (supports all snort configuration parameters, except SPICE preprocessor)
- MySQL alert detection
- XML viewer and XML server (experimental)
- Full redesign/structure
- Advanced log rotation features
- Weekly rotation
- Interval rotation
- Manual in HTML (manual.zip)
- Internet Explorer browser integration (for ACID/SnortSnarf etc., Print information from website)
Bug fixs:
- Test configuration patched for Win2k systems
- Stream4 option -z: all, est .. syntaxerror fixed
- Log rotation modifications:
- some code fixed
- Killed Snort process: autorestart procedure modified
- AutoBlock sometimes couldn't open BlackICE configuration files
- Log rotation: small bug fixed
7.3.2002:
- only fixs
Bug fixs:
- AutoBlock had a problem with spp_portscan, because i changed something without checking correctly
what i did... sorry!
- "Reload configuration" problem was fixed (Snort started 2 times)
- "Snort configuration wizard" problem fixed (form disabled if no snort.conf was set)
- Tray: Popup-default is set correctly after alert log was displayed
6.3.2002:
- IDScenter starts Snort from it's directory... no need to specify Snort directory in Snort.conf anymore
- AutoBlock: IDScenter can parse Snort 1.8.x logs (all plugins supported: Portscan, Stream4, Unidecode, etc.)!
-> It's very cool... try it!!! Try to start an attack... IDScenter AutoBlock will prevent it with BlackICE!
-> Your IP will not be blocked of course
- AlertMail: mails are also sent, when an alarm was already launched before
- some new design (i'm not a good icon designer, i know ;-) )
- Experimental: Snort configuration wizard (IDS Rules panel)
-> Reads Snort configuration file and parses Variables, Preprocessor plugins and Ouput plugins lines
- IDScenter window is shown in taskbar -> it's better i think
Bug fixs:
- A bug in 1.09 beta AutoBlock was corrected... now all log entrys are parsed!
- Windows NT AutoRun bug corrected (paths with spaces supported)
- SMTP log editbox is writeable (read-only before)
- SMTP log window bug was corrected
Note: I tested AutoBlock with BlackICE 2.2 and 3.0 Eval (http://www.iss.net/products/networkice/eval/)
-> Nessus attacks
-> SecuritySpace.com: Nessus attacks from web
-> nmap
-> Saint
-> whisker attacks on Apache (Hello RFP!)
IDScenter is very STABLE now... i corrected most of this "random features" ;-) (bugs)
Thanks for using IDScenter 1.09 beta!
12.1.2002:
- Snort will be executed from its location -> no need to change relative paths to absolute path in configuration
-> Folder with spaces in pathname supported
- AutoBlock for Snort 1.8.x implemented! It parses all logs: Full, Full/MAC, Fast, Portscans, Spp_stream4, spp_backorifice
- AlertMail: some problems with AlertMail fixed
- New folder dialog for rotate backup
26.11.2001: small change of IDScenter 1.09 public beta
- download link to new Snort.org-rulesets updated: direct download possible
- SecuriTeam.com: integrated log viewer can search SecuriTeam.com for security information
-> I prefered whitehats.com with their arachNIDS database...
- and... a new homepage since yesterday: www.eclipse.fr.fm hosted by EMojo.com.
-> they host a ColdFusion server with Affino (a very good content-managment system!)
New features that were included:
- Snort 1.8/1.7 support (1.6 no longer supported)
- Last # lines of alert log in e-mail message
- Log rotation, daily/monthly, time, zipped
Info: if you have problems using log rotation, copy the .dll in your %WINDOWS%\System32 directory
- AutoBLOCK : IDScenter support Network ICE BlackICE firewall for blocking intruders.
Info: Snort log is read - IDScenter 1.09 public beta supports ONLY full, fast, MAC log formats.
- up to 10 files monitoring
- New error information system
- New menu structure
what will be included (i hope... ;-) ):
- MySQL alert detection
- .. other databases alert detection?
- rule creation wizard (like IDSPolicy editor), also with FTP support
- automatic download&installation of new rulesets (from whereever YOU want).
Corrected bugs since 1.08d:
- AlertMail works correct
- Visual effect: the tray-icon procedure caused a display problem
- some other small bugs (optimization)
5. Known BUGs
---------------
- none known -
6. Terms of use
-----------------
This software is provided "as is", without any guarantee made as to its suitability or fitness for any particular use. It may contain bugs, so use of this tool is at your own risk. We take no responsilbity for any damage that may unintentionally be caused through its use.
You may not distribute Engage Packet builder in any form without express written permission of Engage Security.
7. Reporting problems
-----------------------
If you encounter problems, please visit http://www.EngageSecurity.com and download the latest version to see if the issue
has been resolved.
If not, please send a bug report (in english or french) to :
U.Kistler@EngageSecurity.com
<EOF>
Archives (1)
| Name | Format | # Files | Size | Date
|
|---|
| setup.exe
| Inno Setup installer
| 3
| 3.8 MB
| 2003-06-18
|